SUMMARY We consider the problem of secret key agreement in Gaussian Maurer's model. In Gaussian Maurer's model, the legitimate receivers, Alice and Bob, and a wire-tapper, Eve, receive signals randomly generated by a satellite through three independent memoryless Gaussian channels respectively. Then Alice and Bob generate a common secret key from their received signals. In this model, we propose a protocol for generating a common secret key by using the result of soft-decision of Alice and Bob's received signals. Then, we calculate a lower bound on the secret key rate in our proposed protocol. As a result of comparison with the protocol that only uses hard-decision, we found that a higher rate is obtained by using our protocol.
key words: advantage distillation, AWGN, information theoretic security, key agreement, privacy amplification, public dis-



1. Introduction 

As one of the fundamental problems in cryptography, we consider the problem of secret key agreement in this paper. That is to say, we consider how two parties that do not initially share a secret key can generate a common one when a wire-tapper has access to the communication channel between them. Many models of this problem have been presented and analyzed in the literature [1]-[4]. Recently, key agreement over a wireless channel has been experimentally studied [6].

Maurer [5] and Ahlswede and Csiszar [7] consid- 
ered the interactive model of secret key agreement from 
an initially shared partially secret string by communi- 
cation over a public channel. 

Maurer [5] considered the following model. Two parties, Alice and Bob, who want to share a secret key, and the wire-tapper, Eve, receive the bits randomly generated by a satellite over independent binary symmetric channels (BSC) respectively. We call this model Maurer's model. Maurer [5] proposed an interactive protocol in his model, and he showed a lower bound on key rates at which Alice and Bob can agree on a secret key. Note that the key rate is defined as the length of the secret key generated by Alice and Bob per channel use by the satellite.

In Maurer's original model and protocol, channels are assumed to be BSC, and received signals are assumed to be digital signals. However, signals in practical channels are analogue. Recently, key agreement over a wireless channel has been experimentally studied by Aono et al. [6]. However, information theoretic analysis of key agreement over analogue channels has not been sufficiently conducted. In order to close the gap between Maurer's results and the experimental study, we modify Maurer's model to use Gaussian channels instead of BSC, which we call Gaussian Maurer's model.

In Gaussian Maurer's model, Alice and Bob can use the results of soft-decision of analogue received signals. They can determine the reliability information from these results and use it for generating a common secret key. In this paper, we propose a protocol for secret key agreement using the reliability information. Then, we calculate key rates at which Alice and Bob can agree on a secret key in our proposed protocol.

Considering the situation in which Alice, Bob, and Eve hard-detect the signals that are sent out by the satellite, Maurer's original model can be seen as a special case of Gaussian Maurer's model. Thus, we can compare the protocol in Gaussian Maurer's model and the one in BSC Maurer's model. In order to show the advantage of using reliability information, we will compare the key rate in our proposed protocol and the key rate in Maurer's protocol in which Alice and Bob use only hard-decision. From the result of this comparison, we will show that a higher key rate is obtained by using our proposed protocol than by the protocol that only uses hard-decision.

The rest of this paper is organized as follows. In Section 2, we will introduce Maurer's model modified to use Gaussian channels instead of BSC. In Section 3, we will show our proposed protocol using reliability information. In Section 4, we will compare our proposed protocol and Maurer's protocol with hard-decision. In the appendices, we will prove the lemmas that are needed for the proof of the theorem that derives a lower bound on key rates at which Alice and Bob can agree on a secret key.



2. Secret Key Rate in Gaussian Maurer's Model

Consider the following key agreement problem, which we call Gaussian Maurer's model. Assume that a satellite randomly generates signals and sends them to two parties, Alice and Bob, who want to share a secret key, and to the wire-tapper Eve over three independent memoryless Gaussian channels. Their noises at time $i$, denoted $N_A^{(i)}$, $N_B^{(i)}$, and $N_E^{(i)}$, are drawn from independently identically distributed (i.i.d.) Gaussian distributions with mean 0 and variances $V_A$, $V_B$, and $V_E$ respectively. A sequence of signals that the satellite generates at time 1 to $n$, denoted $U^n = [U^{(1)}, \ldots, U^{(n)}]$, is drawn from a distribution $P_{U^n}$ on a signal set in $\mathbb{R}^n$, and this sequence of signals satisfies the power constraint $\frac{1}{n}\sum_{i=1}^{n} (u^{(i)})^2 \le 1$ for all sequences $u^n$. Alice, Bob, and Eve receive $X^n = [X^{(1)}, \ldots, X^{(n)}]$, $Y^n = [Y^{(1)}, \ldots, Y^{(n)}]$, and $Z^n = [Z^{(1)}, \ldots, Z^{(n)}]$ as outputs of these three channels at time 1 to $n$ respectively. They are assumed to know the distribution $P_{U^n}$ and the noise variances $V_A$, $V_B$, and $V_E$. Note that capital letters denote random variables and corresponding small letters denote realizations in this paper.

After Alice, Bob, and Eve receive signals, Alice and Bob communicate over a public channel. This channel is assumed to be noiseless and discrete, and its capacity is finite. Every message communicated between Alice and Bob can be intercepted by Eve, but it is assumed that Eve cannot insert fraudulent messages nor modify messages on this public channel without being detected. Let $C$ be the entire communication held over this public channel. After enough communication over the public channel, Alice computes a secret key $S$ on a key alphabet $\mathcal{S}$ as a function of her received signals $X^n$ and all information $C$ over the public channel. In a similar way, Bob computes a secret key $S'$ on $\mathcal{S}$ as a function of $Y^n$ and $C$. The secret key rate in this model is defined as follows. Note that we take all logarithms to be base 2, and hence all the entropies are measured in bits.

Definition 1 For given noise variances $V_A$, $V_B$, and $V_E$, a rate $R$ is said to be achievable if for every $\epsilon > 0$ there exists a protocol for sufficiently large $n$ satisfying

$$\Pr[S \neq S'] < \epsilon, \tag{1}$$

$$H(S | C Z^n) > \log|\mathcal{S}| - \epsilon, \tag{2}$$

and

$$\frac{1}{n}\log|\mathcal{S}| > R - \epsilon, \tag{3}$$

where $|\mathcal{S}|$ denotes the number of the elements in $\mathcal{S}$.

Definition 2 The secret key rate for given noise variances $V_A$, $V_B$, and $V_E$, denoted $R_S(V_A, V_B, V_E)$, is the supremum of all achievable rates.



3. Secret Key Agreement by Soft-Decision of 
Signals 

In this section, we will propose a protocol that uses 
reliability information of signals and calculate a lower 
bound on the secret key rate in this protocol. 

In our proposed protocol, the satellite selects the input signal $U^{(i)}$ i.i.d. according to the distribution $P_U(1) = P_U(-1) = \frac{1}{2}$. Thus, the received signals $X^{(i)}$, $Y^{(i)}$, $Z^{(i)}$ are also i.i.d. respectively.

Let $a_1, \ldots, a_K$ be a positive monotonically increasing sequence, and let $E_1, \ldots, E_K$ be sets, where the $j$th level set is defined as $E_j = [-a_j, a_j]$ $(j = 1, \ldots, K)$.

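The procedure of our proposed protocol is as follows.

1. From the received signal $X^{(i)}$ at time $i$, Alice determines reliability information $W_A^{(i)}$ as

$$W_A^{(i)} = \begin{cases} 0 & \text{if } X^{(i)} \in E_1, \\ j & \text{if } X^{(i)} \in E_j^c \setminus E_{j+1}^c \quad (j = 1, \ldots, K-1), \\ K & \text{if } X^{(i)} \in E_K^c, \end{cases}$$

where the set $E_j^c$ is the complementary set of the set $E_j$ in the set of real numbers $\mathbb{R}$, and $E_j^c \setminus E_{j+1}^c = E_j^c \cap E_{j+1}$ is the difference set. Similarly, from the received signal $Y^{(i)}$ at time $i$, Bob determines reliability information $W_B^{(i)}$ as

$$W_B^{(i)} = \begin{cases} 0 & \text{if } Y^{(i)} \in E_1, \\ j & \text{if } Y^{(i)} \in E_j^c \setminus E_{j+1}^c \quad (j = 1, \ldots, K-1), \\ K & \text{if } Y^{(i)} \in E_K^c. \end{cases}$$

2. Alice and Bob send the sequences $W_A^n = [W_A^{(1)}, \ldots, W_A^{(n)}]$ and $W_B^n = [W_B^{(1)}, \ldots, W_B^{(n)}]$ over the public channel. From these messages, they can know the sets containing their received signals.

3. Alice and Bob quantize $X^n$ and $Y^n$ into discrete random variables $\tilde{X}_A^n$ and $\tilde{Y}_A^n$, where $\tilde{X}_A^{(i)}$ is defined as

$$\tilde{X}_A^{(i)} = \begin{cases} & \text{if } x^{(i)} \ge 0, \\ & \text{if } x^{(i)} < 0, \end{cases} \tag{4}$$

and $\tilde{Y}_A^{(i)}$ is similarly defined as

$$\tilde{Y}_A^{(i)} = \begin{cases} & \text{if } y^{(i)} \ge 0, \\ & \text{if } y^{(i)} < 0. \end{cases} \tag{5}$$

NAITO et al.: SECRET KEY AGREEMENT BY SOFT-DECISION OF SIGNALS IN GAUSSIAN MAURER'S MODEL

For given $(W_A^{(i)}, W_B^{(i)}) = (w_A, w_B)$, if Eve's ambiguity $H(\tilde{X}_A | Z, W_A = w_A, W_B = w_B)$ about $\tilde{X}_A^{(i)}$ is smaller than Bob's ambiguity $H(\tilde{X}_A | Y, W_A = w_A, W_B = w_B)$ about $\tilde{X}_A^{(i)}$, then we should discard $\tilde{X}_A^{(i)}$ in our protocol. Indeed, if we keep $\tilde{X}_A^{(i)}$ for such $(W_A^{(i)}, W_B^{(i)}) = (w_A, w_B)$, then a negative term is added to the lower bound on the secret key rate shown in Eq. (12). Furthermore, if the difference between Eve's and Bob's ambiguity about $\tilde{X}_A^{(i)}$ is smaller than the difference between Eve's ambiguity $H(\tilde{Y}_A | Z, W_A = w_A, W_B = w_B)$ about $\tilde{Y}_A^{(i)}$ and Alice's ambiguity $H(\tilde{Y}_A | X, W_A = w_A, W_B = w_B)$ about $\tilde{Y}_A^{(i)}$, we should generate a secret key from $\tilde{Y}_A^{(i)}$ instead of $\tilde{X}_A^{(i)}$. For this purpose, we consider the sets $\mathcal{A}, \mathcal{B} \subset \{1, \ldots, K\} \times \{1, \ldots, K\}$, which are defined as

$$\mathcal{A} := \{(w_A, w_B) \mid H(\tilde{X}_A | Z, W_A = w_A, W_B = w_B) - H(\tilde{X}_A | Y, W_A = w_A, W_B = w_B) > \max\{0,\ H(\tilde{Y}_A | Z, W_A = w_A, W_B = w_B) - H(\tilde{Y}_A | X, W_A = w_A, W_B = w_B)\}\},$$

$$\mathcal{B} := \{(w_A, w_B) \mid H(\tilde{Y}_A | Z, W_A = w_A, W_B = w_B) - H(\tilde{Y}_A | X, W_A = w_A, W_B = w_B) > \max\{0,\ H(\tilde{X}_A | Z, W_A = w_A, W_B = w_B) - H(\tilde{X}_A | Y, W_A = w_A, W_B = w_B)\}\}.$$

If the given $(W_A^{(i)}, W_B^{(i)})$ is in the set $\mathcal{A}$, we use $\tilde{X}_A^{(i)}$ for generating a secret key, otherwise we discard $\tilde{X}_A^{(i)}$. Similarly, if the given $(W_A^{(i)}, W_B^{(i)})$ is in the set $\mathcal{B}$, we use $\tilde{Y}_A^{(i)}$ for generating a secret key, otherwise we discard $\tilde{Y}_A^{(i)}$. Thus, we determine discrete random variables

$$X_A^{(i)} = \begin{cases} \tilde{X}_A^{(i)} & \text{if } (W_A^{(i)}, W_B^{(i)}) \in \mathcal{A}, \\ & \text{otherwise}, \end{cases} \tag{6}$$

and

$$Y_A^{(i)} = \begin{cases} \tilde{Y}_A^{(i)} & \text{if } (W_A^{(i)}, W_B^{(i)}) \in \mathcal{B}, \\ & \text{otherwise}, \end{cases} \tag{7}$$

and we use them for generating a secret key instead of $\tilde{X}_A^{(i)}$ and $\tilde{Y}_A^{(i)}$.

4. According to the rule in Eq. (6), Alice determines $X_A^n$ from $W_A^n$, $W_B^n$, and $\tilde{X}_A^n$. Similarly, Bob determines $Y_A^n$ from $W_A^n$, $W_B^n$, and $\tilde{Y}_A^n$.

5. Alice sends partial information of $X_A^n$ as a public message $M_A$ on $\mathcal{M}_A$ in order to share $X_A^n$ with Bob. Similarly, Bob sends partial information of $Y_A^n$ as a public message $M_B$ on $\mathcal{M}_B$.

6. Alice decodes $M_B$, $X^n$, and the reliability information $(W_A^n, W_B^n)$ into the estimation $\hat{Y}_A^n$. Similarly, Bob decodes $M_A$, $Y^n$, and the reliability information $(W_A^n, W_B^n)$ into the estimation $\hat{X}_A^n$.

7. Let $\mathcal{F}$ be a set of two-universal hash functions [8] (see also Appendix B.1) from $\{0, 1\}^n \times \{0, 1\}^n$ to $\mathcal{S}$. Alice randomly chooses a hash function $f \in \mathcal{F}$, and publicly tells the choice to Bob. Then, Alice and Bob's final keys are $S = f(X_A^n, \hat{Y}_A^n)$ and $S' = f(\hat{X}_A^n, Y_A^n)$ respectively.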

In order to guarantee that Alice and Bob can compute the same key in step 6, we set the rates $\frac{1}{n}\log|\mathcal{M}_A|$ and $\frac{1}{n}\log|\mathcal{M}_B|$ of public messages according to the following lemma, which is derived by modifying "Slepian-Wolf Coding" [9] for continuous random variables.

Lemma 1 Suppose that we set

$$\frac{1}{n}\log|\mathcal{M}_A| > H(X_A | Y W_A W_B) \tag{8}$$

and

$$\frac{1}{n}\log|\mathcal{M}_B| > H(Y_A | X W_A W_B), \tag{9}$$

then there exist encoders and decoders such that the decoding error probabilities $\Pr\{\hat{X}_A^n \neq X_A^n\}$ and $\Pr\{\hat{Y}_A^n \neq Y_A^n\}$ tend to 0 as $n \to \infty$.

Thus, Eq. (1) is satisfied for sufficiently large $n$.

In order to guarantee the security of the protocol, we set the key rate $\frac{1}{n}\log|\mathcal{S}|$ according to the following lemma, which is derived by modifying the so-called "left over hash lemma" [10]-[12] for continuous random variables.

Lemma 2 Suppose that we set

$$\frac{1}{n}\log|\mathcal{S}| < H(X_A Y_A | Z W_A W_B) - \frac{1}{n}\log|\mathcal{M}_A||\mathcal{M}_B|, \tag{10}$$

then

$$H(S | Z^n W_A^n W_B^n M_A M_B F) > \log|\mathcal{S}| - \epsilon \tag{11}$$

is satisfied for sufficiently large $n$.

Note that $F$ is a random variable on $\mathcal{F}$, and all information $C$ over the public channel corresponds to $(W_A^n, W_B^n, M_A, M_B, F)$ in this case.

From Eqs. (8)-(10), we obtain the following theorem that gives a lower bound on the secret key rate $R_S(V_A, V_B, V_E)$ in this protocol.

Theorem 1 By using our proposed protocol, we achieve the lower bound on the secret key rate $R_S(V_A, V_B, V_E)$ as

$$R_S(V_A, V_B, V_E) \ge H(X_A Y_A | Z W_A W_B) - H(X_A | Y W_A W_B) - H(Y_A | X W_A W_B). \tag{12}$$

Note that from the rule in Eqs. (6)-(7), we can rewrite Eq. (12) as

$$H(X_A Y_A | Z W_A W_B) - H(X_A | Y W_A W_B) - H(Y_A | X W_A W_B) = \sum_{w_A, w_B} P_{W_A W_B}(w_A, w_B) \times \max\{0,\ H(\tilde{X}_A | Z, W_A = w_A, W_B = w_B) - H(\tilde{X}_A | Y, W_A = w_A, W_B = w_B),\ H(\tilde{Y}_A | Z, W_A = w_A, W_B = w_B) - H(\tilde{Y}_A | X, W_A = w_A, W_B = w_B)\}.$$

For fixed $(W_A, W_B) = (w_A, w_B)$, $H(\tilde{X}_A | Z, W_A = w_A, W_B = w_B) - H(\tilde{X}_A | Y, W_A = w_A, W_B = w_B)$ is a lower bound on the secret key rate when we use only $\tilde{X}_A^n$ for generating a secret key, $H(\tilde{Y}_A | Z, W_A = w_A, W_B = w_B) - H(\tilde{Y}_A | X, W_A = w_A, W_B = w_B)$ is a lower bound on the secret key rate when we use only $\tilde{Y}_A^n$ for generating a secret key, and 0 is the trivial lower bound on the secret key rate. By the rule in Eqs. (6)-(7), we choose the maximum among these lower bounds on the secret key rate for each $(w_A, w_B)$ in order to make the lower bound on the secret key rate as high as possible.

[Figure: key rate versus SNR [dB]; curves: Proposed NNR=-2, Proposed NNR=2, Proposed NNR=6.]
Fig. 1 The relation between SNR and the key rate in our proposed protocol for several NNR.

Note that encoding in step 5 and decoding in step 
6 are implementable by using low-density parity check 
codes [13], [14]. 
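
The rewritten form of Eq. (12) can be evaluated numerically for binary inputs $\pm 1$. The following Python sketch is an added example, not code from the paper: it assumes reliability levels $0, \ldots, K$ given by the magnitude bands between consecutive thresholds, and the function names, the thresholds (0.5, 1.0, 1.5), the noise variances and the midpoint-rule integration settings are assumptions chosen for illustration.

```python
import math

SIGNALS = (1.0, -1.0)  # satellite input U with P_U(1) = P_U(-1) = 1/2

def phi(t, var):
    """Density of zero-mean Gaussian noise with variance var."""
    return math.exp(-t * t / (2 * var)) / math.sqrt(2 * math.pi * var)

def tail(t, var):
    """Pr[N > t] for N ~ N(0, var)."""
    return 0.5 * math.erfc(t / math.sqrt(2 * var))

def h2(p):
    """Binary entropy in bits."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)

def band(a, w):
    """Magnitude band [lo, hi) of reliability level w (0 = least reliable)."""
    edges = [0.0, *a, math.inf]
    return edges[w], edges[w + 1]

def p_bit_level(s, w, u, a, var):
    """Pr[hard decision has sign s and reliability level is w | U = u]."""
    lo, hi = band(a, w)
    return tail(lo - s * u, var) - tail(hi - s * u, var)

def region(a, w, var):
    """Part of the real line on which a receiver reports level w."""
    lo, hi = band(a, w)
    hi = min(hi, max(lo, 1.0) + 10 * math.sqrt(var))  # truncate the far tail
    return [(lo, hi), (-hi, -lo)]

def cond_entropy(q, r, var_obs, regions, steps=400):
    """H(hard-decision bit | observation, W_A = w_A, W_B = w_B) in bits.

    q[s][u] = Pr[bit sign s, own level | U = u]; r[u] weights each input by
    the probability of the other party's level; the observation is
    U + N(0, var_obs) restricted to `regions` (midpoint rule)."""
    num = den = 0.0
    for lo, hi in regions:
        dx = (hi - lo) / steps
        for k in range(steps):
            o = lo + (k + 0.5) * dx
            g = [sum(q[s][u] * r[u] * phi(o - u, var_obs) for u in SIGNALS)
                 for s in SIGNALS]
            tot = g[0] + g[1]
            if tot > 0.0:
                num += tot * h2(g[0] / tot) * dx
                den += tot * dx
    return num / den if den > 0.0 else 0.0

def key_rate_bound(a, va, vb, ve):
    """Sum over (w_A, w_B) of P(w_A, w_B) * max{0, gain from X, gain from Y}."""
    levels = range(len(a) + 1)
    span = 1.0 + 10 * math.sqrt(ve)
    eve = [(-span, span)]                    # Eve observes Z on the whole line
    ones = {u: 1.0 for u in SIGNALS}
    total = 0.0
    for wa in levels:
        qa = {s: {u: p_bit_level(s, wa, u, a, va) for u in SIGNALS} for s in SIGNALS}
        pa = {u: sum(qa[s][u] for s in SIGNALS) for u in SIGNALS}
        for wb in levels:
            qb = {s: {u: p_bit_level(s, wb, u, a, vb) for u in SIGNALS} for s in SIGNALS}
            pb = {u: sum(qb[s][u] for s in SIGNALS) for u in SIGNALS}
            p_w = sum(0.5 * pa[u] * pb[u] for u in SIGNALS)
            gain_x = (cond_entropy(qa, pb, ve, eve)
                      - cond_entropy(qa, ones, vb, region(a, wb, vb)))
            gain_y = (cond_entropy(qb, pa, ve, eve)
                      - cond_entropy(qb, ones, va, region(a, wa, va)))
            total += p_w * max(0.0, gain_x, gain_y)
    return total

if __name__ == "__main__":
    # Constructed parameters: Eve's channel is less noisy than Alice's and Bob's.
    print(key_rate_bound((), 1.0, 1.0, 0.63))
    print(key_rate_bound((0.5, 1.0, 1.5), 1.0, 1.0, 0.63))
```

With these constructed parameters Eve's channel is less noisy than Alice's and Bob's, so the bound is zero when no reliability levels are used and positive once the levels select the favourable pairs $(w_A, w_B)$.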

4. Comparison to a Protocol with Hard- 
Decision 

In this section, we will show the relation between signal-to-noise ratio (SNR) and the key rate achieved by our proposed protocol for several noise-to-noise ratios (NNR). We will also show the comparison between the key rate achieved by our proposed protocol and the key rate achieved by the protocol in which Alice and Bob use only hard-decision for generating a secret key.

The relation between SNR and the key rate achieved by our proposed protocol for several NNR is presented in Fig. 1, where sets $E_1$, $E_2$, and $E_3$ are determined from fixed $a_1$, $a_2$, $a_3 = 1$ in our proposed protocol. Note that SNR is defined as -^ and NNR is defined as ^, and we assume $V_A = V_B$. From this figure, we observe that we do not obtain a high key rate when SNR is too high or too low.

Fig. 2 The key rates achieved by our proposed protocol and Maurer's protocol.

In order to show the advantage of using soft-decision, we compare the key rate achieved by our proposed protocol and the key rate achieved by Maurer's protocol in which Alice and Bob use only hard-decision for generating a secret key. The result of this comparison is presented in Figs. 2(a)-2(c). In this comparison, sets $E_1$, $E_2$, and $E_3$ are determined from fixed $a_1$, $a_2$, $a_3 = 1$ in our proposed protocol, and the block length of the repetition code used in Maurer's protocol is optimally selected from 1 to 10 for each NNR. From these figures, we observe that we obtain a larger key rate by our proposed protocol than by Maurer's protocol for all values of NNR. Note that in Gaussian Maurer's model, we should calculate the key rate by Maurer's protocol for Eve who can use continuous random variables $Z^n$ to guess the secret key. However, the numerical calculation of the key rate by Maurer's protocol in Gaussian Maurer's model is difficult when the block length of the repetition code used in his protocol is 2 or larger. Thus, we calculate the key rate in BSC Maurer's model instead of Gaussian Maurer's model when the block length of the repetition code used in his protocol is 2 or larger. In the calculation of the key rate in BSC Maurer's model, we consider the situation in which Alice, Bob, and Eve hard-detect received signals according to a rule similar to Eqs. (4) and (5). In this situation, we can convert the three Gaussian channels into independent binary symmetric channels with error probabilities $\epsilon_A$, $\epsilon_B$, $\epsilon_E$ given by

$$\epsilon_A = \frac{1}{2}\operatorname{erfc}\left(\frac{1}{\sqrt{2V_A}}\right), \quad \epsilon_B = \frac{1}{2}\operatorname{erfc}\left(\frac{1}{\sqrt{2V_B}}\right), \quad \epsilon_E = \frac{1}{2}\operatorname{erfc}\left(\frac{1}{\sqrt{2V_E}}\right), \tag{13}$$

where the complementary error function $\operatorname{erfc}(z)$ is defined as

$$\operatorname{erfc}(z) = \frac{2}{\sqrt{\pi}}\int_z^{\infty} e^{-t^2}\, dt. \tag{14}$$

Note that this way of comparison gives Maurer's protocol an advantage because a wire-tapper in Gaussian Maurer's model is more powerful than in BSC Maurer's model.† Hence, the key rate achieved by Maurer's protocol in Gaussian Maurer's model is lower than that presented in Figs. 2(a)-2(c).

†The wire-tapper in Gaussian Maurer's model can use continuous random variables $Z^n$ to guess the secret key, but the one in BSC Maurer's model can only use quantized versions of them.

5. Conclusion

In this paper, we have proposed Gaussian Maurer's model and the protocol with reliability information based on the result of the soft-decision in this model. As a result, we have obtained a higher key rate than Maurer's protocol. This is because the correlation between $X_A$ in Eq. (6) and $Y$ and between $Y_A$ in Eq. (7) and $X$ obtained by using the reliability information is stronger than the correlation between $\tilde{X}_A$ in Eq. (4) and $\tilde{Y}_A$ in Eq. (5) obtained by using the hard-decision.

However, we do not know the optimal way to determine the sets $E_1, \ldots, E_K$ and their number $K$. Intuitively, one may think that the more sets we use, the higher the rate we obtain. However, this intuition does not seem to be always true. Actually, there exist cases in which we cannot obtain a higher key rate even though we use many sets. Furthermore, we have to find the optimal signal constellation used by the satellite. These problems are left for future research.
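Appendix A: Proof of lemma 1

We only prove that if we set the rate $\frac{1}{n}\log|\mathcal{M}_A|$ of the public message according to Eq. (8), then there exist encoders and decoders such that the decoding error probability $\Pr\{\hat{X}_A^n \neq X_A^n\}$ tends to 0 as $n \to \infty$. The proof for the rate $\frac{1}{n}\log|\mathcal{M}_B|$ of the public message follows by symmetry.

We use the so-called "bin coding" proposed by Cover [15] in this proof. The procedure of bin coding is as follows.

Assign every $x_A^n \in \mathcal{X}_A^n$ to one of $|\mathcal{M}_A|$ bins independently according to the uniform distribution on $\mathcal{M}_A$.

Alice sends the index $i$ of the bin to which $x_A^n$ belongs. Then let $\varphi_n(x_A^n) = i$.

For each $(y^n, w^n)$, we define the set $S_n(y^n, w^n) \subset \mathcal{X}_A^n$ as

$$S_n(y^n, w^n) := \left\{ x_A^n \;\middle|\; -\frac{1}{n}\log P_{X_A^n | Y^n W^n}(x_A^n | y^n, w^n) < H(X_A | Y W) + \gamma \right\},$$

where $\gamma > 0$ is an arbitrary fixed small constant, and we denote the pair $(W_A^n, W_B^n)$ as $W^n$. Then, for given $y^n$, $w^n$, and the received index $i$, declare $\psi_n(i, y^n, w^n) = x_A^n$ if there is one and only one pair $(x_A^n, y^n, w^n)$ such that $\varphi_n(x_A^n) = i$ and $x_A^n \in S_n(y^n, w^n)$. Otherwise, declare an error.

We will evaluate the decoding error probability averaged over randomly chosen encoders as follows. We have an error if $X_A^n$ is not in $S_n(Y^n, W^n)$ or if there is another symbol $x'^n_A \in \mathcal{X}_A^n$ in the same bin. Thus, we can define the events of error

$$E_n^{(0)} := \{X_A^n \notin S_n(Y^n, W^n)\},$$

$$E_n^{(1)} := \{\exists\, x'^n_A \neq X_A^n : \varphi_n(x'^n_A) = \varphi_n(X_A^n) \text{ and } x'^n_A \in S_n(Y^n, W^n)\}.$$

Then the decoding error probability averaged over randomly chosen encoders $\Pr\{X_A^n \neq \psi_n(\varphi_n(X_A^n), Y^n, W^n)\}$ is upper bounded as

$$\Pr\{X_A^n \neq \psi_n(\varphi_n(X_A^n), Y^n, W^n)\} = \Pr\{E_n^{(0)} \cup E_n^{(1)}\} \le \Pr\{E_n^{(0)}\} + \Pr\{E_n^{(1)}\}. \tag{A·1}$$

$\Pr\{E_n^{(0)}\}$ is evaluated as

$$\Pr\{E_n^{(0)}\} = \Pr\{X_A^n \notin S_n(Y^n, W^n)\} = \Pr\left\{-\frac{1}{n}\log P_{X_A^n | Y^n W^n}(X_A^n | Y^n, W^n) \ge H(X_A | Y W) + \gamma\right\} = \Pr\left\{\frac{1}{n}\sum_{i=1}^{n}\log\frac{1}{P_{X_A | Y W}(X_A^{(i)} | Y^{(i)}, W^{(i)})} \ge H(X_A | Y W) + \gamma\right\}, \tag{A·2}$$

which tends to 0 as $n \to \infty$ by the weak law of large numbers. To bound $\Pr\{E_n^{(1)}\}$, we rewrite it as

$$\Pr\{E_n^{(1)}\} = \Pr\{\exists\, x'^n_A \neq X_A^n : \varphi_n(x'^n_A) = \varphi_n(X_A^n) \text{ and } x'^n_A \in S_n(Y^n, W^n)\} = \int P_{Y^n}(y^n) \sum_{(x_A^n, w^n) \in \mathcal{X}_A^n \times \mathcal{W}_A^n \times \mathcal{W}_B^n} P_{X_A^n W^n | Y^n}(x_A^n, w^n | y^n)\, g_n(x_A^n, y^n, w^n)\, dy^n, \tag{A·3}$$

where

$$g_n(x_A^n, y^n, w^n) := \Pr\{\exists\, x'^n_A \neq x_A^n : \varphi_n(x'^n_A) = \varphi_n(x_A^n) \text{ and } x'^n_A \in S_n(y^n, w^n)\}. \tag{A·4}$$

Furthermore, we can rewrite (A·4) as

$$g_n(x_A^n, y^n, w^n) \le \sum_{x'^n_A \neq x_A^n,\ x'^n_A \in S_n(y^n, w^n)} \Pr\{\varphi_n(x'^n_A) = \varphi_n(x_A^n)\} \le \sum_{x'^n_A \in S_n(y^n, w^n)} \frac{1}{|\mathcal{M}_A|} = \frac{|S_n(y^n, w^n)|}{|\mathcal{M}_A|}. \tag{A·5}$$

If $x_A^n \in S_n(y^n, w^n)$, then from the definition of $S_n(y^n, w^n)$, we have

$$P_{X_A^n | Y^n W^n}(x_A^n | y^n, w^n) > 2^{-n(H(X_A | Y W) + \gamma)}.$$

Thus, we have

$$1 \ge \sum_{x_A^n \in S_n(y^n, w^n)} P_{X_A^n | Y^n W^n}(x_A^n | y^n, w^n).$$

Hence, we have

$$|S_n(y^n, w^n)| < 2^{n(H(X_A | Y W) + \gamma)}. \tag{A·6}$$

From Eqs. (A·3)-(A·6), we upper bound $\Pr\{E_n^{(1)}\}$ as

$$\Pr\{E_n^{(1)}\} \le \int P_{Y^n}(y^n) \sum_{(x_A^n, w^n)} P_{X_A^n W^n | Y^n}(x_A^n, w^n | y^n)\, \frac{2^{n(H(X_A | Y W) + \gamma)}}{|\mathcal{M}_A|}\, dy^n \le \frac{2^{n(H(X_A | Y W) + \gamma)}}{|\mathcal{M}_A|} = 2^{-\log|\mathcal{M}_A|}\, 2^{n(H(X_A | Y W) + \gamma)}, \tag{A·7}$$

which exponentially tends to 0 as $n \to \infty$ if $\frac{1}{n}\log|\mathcal{M}_A| > H(X_A | Y W) + \gamma$.

Since the decoding error probability $\Pr\{X_A^n \neq \psi_n(\varphi_n(X_A^n), Y^n, W^n)\}$ of a randomly chosen code tends to 0 as $n \to \infty$, there exists at least one pair of an encoder and a decoder such that the decoding error probability $\Pr\{\hat{X}_A^n \neq X_A^n\}$ tends to 0 as $n \to \infty$.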

Appendix B: Proof of lemma 2 

In this Appendix, we will show the proof of lemma 2. In Section B.1, we introduce a two-universal hash family, which is used for computation of a secret key. In Section B.2, we define the security of the protocol in the sense of the variational distance, and we show the relation between the security of the protocol in the sense of the variational distance and the condition Eq. (2). This relation implies that if the security of the protocol in the sense of the variational distance is satisfied, then the condition Eq. (2) is satisfied. In Section B.3, we relate the size $|\mathcal{S}|$ of a secret key $S$ and the size $|\mathcal{M}_A \times \mathcal{M}_B|$ of public messages $M = (M_A, M_B)$ to the security of the protocol, and we show that if we set $\frac{1}{n}\ln|\mathcal{S}| < H(X_A Y_A | Z W_A W_B) - \frac{1}{n}\ln|\mathcal{M}_A \times \mathcal{M}_B|$, then there exists at least one hash function $f$ that satisfies Eq. (2) for sufficiently large $n$.

For simplicity of notation, we denote the integral over $\mathbb{R}^n$ as $\int$ unless otherwise specified, and we abbreviate $P_{R^n M | Z^n W^n}(\cdot, \cdot | z^n, w^n)$ as $P_{R^n M | z^n, w^n}(\cdot, \cdot)$. The variational distance $\|P_1 - P_2\|$ between the probability distributions $P_1$ and $P_2$ on $\mathcal{V}$ is defined as

$$\|P_1 - P_2\| := \sum_{v \in \mathcal{V}} |P_1(v) - P_2(v)|. \tag{A·8}$$

B.1 Two-universal hash family

In order to extract an almost secret string (secret key $S$) from a partially secret string (a pair $R^n$ of random variables $X_A^n$ and $Y_A^n$), we use a two-universal hash family $\mathcal{F}$. A set $\mathcal{F}$ of functions $f : \mathcal{X}_A^n \times \mathcal{Y}_A^n \to \mathcal{S}$ is said to be a two-universal hash family if we have

$$P_F(\{f \in \mathcal{F} \mid f(r^n) = f(r'^n)\}) \le \frac{1}{|\mathcal{S}|} \tag{A·9}$$

for any $r^n \neq r'^n \in \mathcal{X}_A^n \times \mathcal{Y}_A^n$, where $F$ denotes a random variable on $\mathcal{F}$ and $P_F$ denotes the uniform distribution on $\mathcal{F}$. For given Eve's received signals $z^n \in \mathbb{R}^n$ and reliability information $w^n \in \mathcal{W}_A^n \times \mathcal{W}_B^n$, the joint conditional distribution $P_{SM | z^n, w^n}(s, m)$ of a secret key $S = f(R^n)$ and public message $M$ is given by

$$P_{SM | z^n, w^n}(s, m) := \sum_{r^n \in f^{-1}(s)} P_{R^n M | z^n, w^n}(r^n, m),$$

where $f^{-1}(s) := \{r^n \in \mathcal{X}_A^n \times \mathcal{Y}_A^n \mid f(r^n) = s\}$ is the subset of the set $\mathcal{X}_A^n \times \mathcal{Y}_A^n$ such that $f(r^n) = s$. Note that since $S$ depends on a hash function $f$, it should be referred to as $S_f$. But we use the above notation for convenience in this paper.

B.2 The security of the protocol in the sense of the 
variational distance 

In order to prove lemma 2, we define the security of the protocol in the sense of the variational distance in this section. If a secret key $S$ is independent of Eve's information and its distribution $P_S$ is close to the uniform distribution $P_{\mathcal{S}}$ on $\mathcal{S}$, we decide that the secret key $S$ is secure in the sense of the variational distance. In other words, we define the security of the protocol as

$$\Delta_f := \int P_{Z^n}(z^n) \sum_{w^n \in \mathcal{W}_A^n \times \mathcal{W}_B^n} P_{W^n | Z^n}(w^n | z^n)\, \|P_{SM | z^n, w^n} - P_{\mathcal{S}} \times P_{M | z^n, w^n}\|\, dz^n, \tag{A·10}$$

where $P_{M | z^n, w^n}$ is the marginal distribution of $P_{SM | z^n, w^n}$, and $P_{\mathcal{S}} \times P_{M | z^n, w^n}$ is the product distribution of $P_{\mathcal{S}}$ and $P_{M | z^n, w^n}$.

As an extension of [16, Lemma 1] to continuous random variables, the following lemma relates the security of the protocol in the sense of the variational distance to the security of the protocol in the sense of the entropy shown in Eq. (2).

Lemma 3 The conditional entropy $H(S | Z^n W^n M F)$ is lower bounded by

$$H(S | Z^n W^n M F) \ge (1 - E_f[\Delta_f]) \ln|\mathcal{S}|$$

Note that since $W^n = (W_A^n, W_B^n)$ and $M = (M_A, M_B)$, the conditional entropy $H(S | Z^n W^n M F)$ is equivalent to $H(S | Z^n W_A^n W_B^n M_A M_B F)$ in Eq. (11). From this lemma, if $E_f[\Delta_f]$ is sufficiently small, a secret key $S$ is secure in the sense of the entropy.

Proof. Let

$$\Delta_{f, m, z^n, w^n} := \|P_{S | m, z^n, w^n} - P_{\mathcal{S}}\|. \tag{A·12}$$

Then, we can rewrite $\Delta_f$ as

$$\Delta_f = \int P_{Z^n}(z^n) \sum_{m, w^n} P_{M W^n | Z^n}(m, w^n | z^n)\, \Delta_{f, m, z^n, w^n}\, dz^n. \tag{A·13}$$

For given $z^n \in \mathbb{R}^n$, $w^n \in \mathcal{W}_A^n \times \mathcal{W}_B^n$, and $m \in \mathcal{M}_A \times \mathcal{M}_B$, we obtain

$$H(S | M = m, Z^n = z^n, W^n = w^n, F = f) \ge \log|\mathcal{S}| - \Delta_{f, m, z^n, w^n} \log\frac{|\mathcal{S}|}{\Delta_{f, m, z^n, w^n}}, \tag{A·14}$$

which follows from the continuity of entropy [15] in a similar way as [16, Lemma 1].

The second term of Eq. (A·14) is upper bounded as follows. Since $-t \log t$ is a concave function, we obtain

$$\sum_{m, w^n} P_{M W^n | Z^n}(m, w^n | z^n)\, \Delta_{f, m, z^n, w^n} \log\frac{|\mathcal{S}|}{\Delta_{f, m, z^n, w^n}} \le \Delta_{f, z^n} \log\frac{|\mathcal{S}|}{\Delta_{f, z^n}} \tag{A·15}$$

from Jensen's inequality for $w^n, m$, where we let $\Delta_{f, z^n} := \sum_{m, w^n} P_{M W^n | Z^n}(m, w^n | z^n)\, \Delta_{f, m, z^n, w^n}$. Averaging Eq. (A·15) over $z^n$, we obtain

$$\int P_{Z^n}(z^n)\, \Delta_{f, z^n} \log\frac{|\mathcal{S}|}{\Delta_{f, z^n}}\, dz^n \le \Delta_f \log\frac{|\mathcal{S}|}{\Delta_f} \tag{A·16}$$

from Jensen's inequality for $z^n$. Moreover, averaging Eq. (A·16) over $f$, we obtain

$$E_f\left[\Delta_f \log\frac{|\mathcal{S}|}{\Delta_f}\right] \le E_f[\Delta_f] \log\frac{|\mathcal{S}|}{E_f[\Delta_f]} \tag{A·17}$$

from Jensen's inequality for $f$. □

Note that when we use Jensen's inequality for a continuous random variable, the condition of absolute integrability

$$\int P_{Z^n}(z^n)\, |\Delta_{f, z^n}|\, dz^n < \infty \tag{A·18}$$

must be satisfied [17]. In this case, from the fact that $0 \le \Delta_{f, z^n} \le 2$, this condition is satisfied.
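B.3 The relation between the size of a secret key and the security of the protocol

The following lemma relates the size $|\mathcal{S}|$ of a secret key $S$ and the size $|\mathcal{M}_A \times \mathcal{M}_B|$ of public messages $M$ to the security of the protocol.

Lemma 4 For the size $|\mathcal{S}|$ of a secret key $S$, the size $|\mathcal{M}_A \times \mathcal{M}_B|$ of public messages $M$, and the security of the protocol $\Delta_f$, we have

$$E_f[\Delta_f] \le \sqrt{\frac{|\mathcal{S}||\mathcal{M}_A \times \mathcal{M}_B|}{2^{\alpha n}}} + 2\int P_{Z^n}(z^n) \sum_{w^n} P_{W^n | Z^n}(w^n | z^n)\, P_{R^n | z^n, w^n}\left(\left\{r^n \;\middle|\; -\frac{1}{n}\log P_{R^n | z^n, w^n}(r^n) < \alpha\right\}\right) dz^n, \tag{A·19}$$

where $E_f$ denotes expectation for a uniform distribution on $\mathcal{F}$.

Proof. This proof is based on the techniques in [18, Chapter 5]. In the following, we will prove

$$E_f[\Delta_{f, z^n, w^n}] \le \sqrt{\frac{|\mathcal{S}||\mathcal{M}_A \times \mathcal{M}_B|}{2^{\alpha n}}} + 2 P_{R^n | z^n, w^n}\left(\left\{r^n \in \mathcal{X}_A^n \times \mathcal{Y}_A^n \;\middle|\; -\frac{1}{n}\log P_{R^n | z^n, w^n}(r^n) < \alpha\right\}\right), \tag{A·20}$$

where

$$\Delta_{f, z^n, w^n} := \|P_{SM | z^n, w^n} - P_{\mathcal{S}} \times P_{M | z^n, w^n}\|. \tag{A·21}$$

Averaging Eq. (A·20) over $z^n$ and $w^n$, we obtain Eq. (A·19).

For given $z^n \in \mathbb{R}^n$ and $w^n \in \mathcal{W}_A^n \times \mathcal{W}_B^n$, we define the set $A_n \subset \mathcal{X}_A^n \times \mathcal{Y}_A^n$ as

$$A_n := \left\{r^n \in \mathcal{X}_A^n \times \mathcal{Y}_A^n \;\middle|\; -\frac{1}{n}\log P_{R^n | z^n, w^n}(r^n) \ge \alpha\right\},$$

and we define the set $A_n^c$ as the complement of $A_n$ on $\mathcal{X}_A^n \times \mathcal{Y}_A^n$. Then, $\Delta_{f, z^n, w^n}$ for given $f \in \mathcal{F}$ is upper bounded by

$$\|P_{SM | z^n, w^n} - P_{\mathcal{S}} \times P_{M | z^n, w^n}\| = \sum_{s, m} |P_{R^n M | z^n, w^n}(f^{-1}(s), m) - P_{\mathcal{S}}(s) P_{M | z^n, w^n}(m)| \tag{A·22}$$

$$= \sum_{s, m} |P_{R^n M | z^n, w^n}(f^{-1}(s) \cap A_n, m) - P_{\mathcal{S}}(s) P_{R^n M | z^n, w^n}(A_n, m) + P_{R^n M | z^n, w^n}(f^{-1}(s) \cap A_n^c, m) - P_{\mathcal{S}}(s) P_{R^n M | z^n, w^n}(A_n^c, m)| \tag{A·23}$$

$$\le \sum_{s, m} h_n(s, m) + \sum_{s, m} P_{R^n M | z^n, w^n}(f^{-1}(s) \cap A_n^c, m) + \sum_{s, m} P_{\mathcal{S}}(s) P_{R^n M | z^n, w^n}(A_n^c, m) \tag{A·24}$$

$$= \sum_{s, m} h_n(s, m) + 2 P_{R^n | z^n, w^n}(A_n^c), \tag{A·25}$$

where

$$h_n(s, m) = |P_{R^n M | z^n, w^n}(f^{-1}(s) \cap A_n, m) - P_{\mathcal{S}}(s) P_{R^n M | z^n, w^n}(A_n, m)|. \tag{A·26}$$

Eq. (A·22) follows from the definition of the variational distance and $f^{-1}(s)$. Eq. (A·23) follows from the fact that $(f^{-1}(s) \cap A_n) \cap (f^{-1}(s) \cap A_n^c) = \emptyset$, $f^{-1}(s) = (f^{-1}(s) \cap A_n) \cup (f^{-1}(s) \cap A_n^c)$, and $P_{M | z^n, w^n}(m) = P_{R^n M | z^n, w^n}(A_n, m) + P_{R^n M | z^n, w^n}(A_n^c, m)$. Eq. (A·24) follows from the triangle inequality. Eq. (A·25) follows from the fact that $\bigcup_{s \in \mathcal{S}} f^{-1}(s) = \mathcal{X}_A^n \times \mathcal{Y}_A^n$. By regarding the first term in Eq. (A·25) as an inner product, and by using the Cauchy-Schwarz inequality, we can upper bound the first term in Eq. (A·25) by

$$\sum_{s, m} h_n(s, m) \le \sqrt{|\mathcal{S}||\mathcal{M}_A \times \mathcal{M}_B| \sum_{s, m} h_n(s, m)^2}. \tag{A·27}$$

Furthermore, we can rewrite the inside of the root of Eq. (A·27) as

$$\sum_{s, m} h_n(s, m)^2 = \sum_{s, m} \{P_{R^n M | z^n, w^n}(f^{-1}(s) \cap A_n, m)^2 - 2 P_{R^n M | z^n, w^n}(f^{-1}(s) \cap A_n, m) P_{\mathcal{S}}(s) P_{R^n M | z^n, w^n}(A_n, m) + P_{\mathcal{S}}(s)^2 P_{R^n M | z^n, w^n}(A_n, m)^2\}$$

$$= \sum_{s, m} P_{R^n M | z^n, w^n}(f^{-1}(s) \cap A_n, m)^2 - \sum_{m} \frac{1}{|\mathcal{S}|} P_{R^n M | z^n, w^n}(A_n, m)^2, \tag{A·28}$$

where Eq. (A·28) follows from the fact that $P_{\mathcal{S}}(s) = \frac{1}{|\mathcal{S}|}$ and $\sum_{s} P_{R^n M | z^n, w^n}(f^{-1}(s) \cap A_n, m) = P_{R^n M | z^n, w^n}(A_n, m)$. Then, we can rewrite the first term of Eq. (A·28) as

$$\sum_{s, m} P_{R^n M | z^n, w^n}(f^{-1}(s) \cap A_n, m)^2 = \sum_{s, m} \sum_{r^n, r'^n \in f^{-1}(s) \cap A_n} P_{R^n M | z^n, w^n}(r^n, m) P_{R^n M | z^n, w^n}(r'^n, m) = \sum_{m} \sum_{r^n, r'^n \in A_n} \delta_{f(r^n), f(r'^n)} P_{R^n M | z^n, w^n}(r^n, m) P_{R^n M | z^n, w^n}(r'^n, m), \tag{A·29}$$

where $\delta_{f(r^n), f(r'^n)}$ is Kronecker's delta. On the other hand, we can rewrite the second term of Eq. (A·28) as

$$\sum_{m} \frac{1}{|\mathcal{S}|} P_{R^n M | z^n, w^n}(A_n, m)^2 = \sum_{m} \sum_{r^n, r'^n \in A_n} \frac{1}{|\mathcal{S}|} P_{R^n M | z^n, w^n}(r^n, m) P_{R^n M | z^n, w^n}(r'^n, m). \tag{A·30}$$

Thus, averaging Eq. (A·28) over $f$, we obtain

$$E_f\left[\sum_{s, m} h_n(s, m)^2\right] = \sum_{m} \sum_{r^n, r'^n \in A_n} \left(E_f[\delta_{f(r^n), f(r'^n)}] - \frac{1}{|\mathcal{S}|}\right) P_{R^n M | z^n, w^n}(r^n, m) P_{R^n M | z^n, w^n}(r'^n, m). \tag{A·31}$$

Since $f$ is chosen from a universal hash family, we obtain

$$E_f[\delta_{f(r^n), f(r'^n)}] \le \frac{1}{|\mathcal{S}|} \quad \text{for } r^n \neq r'^n$$

from its definition (shown in Eq. (A·9)). Thus, Eq. (A·31) is upper bounded by

$$\sum_{m} \sum_{r^n \in A_n} P_{R^n M | z^n, w^n}(r^n, m) P_{R^n M | z^n, w^n}(r^n, m) \tag{A·32}$$

$$\le \sum_{m} \sum_{r^n \in A_n} P_{R^n M | z^n, w^n}(r^n, m) \frac{1}{2^{\alpha n}} \tag{A·33}$$

$$\le \frac{1}{2^{\alpha n}}, \tag{A·34}$$

where Eq. (A·32) follows from the fact that $P_{R^n M | z^n, w^n}(r^n, m) \le P_{R^n | z^n, w^n}(r^n) \le \frac{1}{2^{\alpha n}}$ for any $r^n \in A_n$. Since the root function $\sqrt{\cdot}$ is a concave function, by combining Eqs. (A·22)-(A·32) and averaging over $f$, we obtain

$$E_f[\Delta_{f, z^n, w^n}] \le \sqrt{|\mathcal{S}||\mathcal{M}_A \times \mathcal{M}_B|\, E_f\left[\sum_{s, m} h_n(s, m)^2\right]} + 2 P_{R^n | z^n, w^n}\left(\left\{r^n \in \mathcal{X}_A^n \times \mathcal{Y}_A^n \;\middle|\; -\frac{1}{n}\log P_{R^n | z^n, w^n}(r^n) < \alpha\right\}\right)$$

$$\le \sqrt{\frac{|\mathcal{S}||\mathcal{M}_A \times \mathcal{M}_B|}{2^{\alpha n}}} + 2 P_{R^n | z^n, w^n}\left(\left\{r^n \in \mathcal{X}_A^n \times \mathcal{Y}_A^n \;\middle|\; -\frac{1}{n}\log P_{R^n | z^n, w^n}(r^n) < \alpha\right\}\right). \tag{A·35}$$

□

Corollary 1 Suppose that we set $\frac{1}{n}\log|\mathcal{S}| = H(R | Z W) - \frac{1}{n}\log|\mathcal{M}_A \times \mathcal{M}_B| - 2\delta$. Then $E_f[\Delta_f]$ is exponentially small for sufficiently large $n$.

Proof. Suppose that we set $\alpha = H(R | Z W) - \delta$ for $\delta > 0$; then the second term of Eq. (A·19) exponentially tends to 0 as $n \to \infty$ by using the Chernoff bound [15]. On the other hand, suppose that we set $\frac{1}{n}\log|\mathcal{S}| = H(R | Z W) - \frac{1}{n}\log|\mathcal{M}_A \times \mathcal{M}_B| - 2\delta$; then the first term of Eq. (A·19) is $2^{-\delta n / 2}$ and tends to 0 as $n \to \infty$. Thus, if we set $\frac{1}{n}\log|\mathcal{S}| = H(R | Z W) - \frac{1}{n}\log|\mathcal{M}_A \times \mathcal{M}_B| - 2\delta$, $E_f[\Delta_f]$ exponentially tends to 0 as $n \to \infty$. □

If $E_f[\Delta_f]$ is exponentially small, then the security of the protocol in the sense of entropy is guaranteed by lemma 3. From this fact and corollary 5, if we set $\frac{1}{n}\log|\mathcal{S}| < H(X_A Y_A | Z W_A W_B) - \frac{1}{n}\log|\mathcal{M}_A \times \mathcal{M}_B|$, then Eq. (2) is satisfied for sufficiently large $n$.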